by euro_expat 2333 days ago
Tor however has always made the disclaimer that even basic correlation attacks will defeat its anonymity. People use it as the de facto tool for beating the big guys, but it provides no such capability or claim of such. This seems to not be so well known though.

The only thing that can work against big national agencies is security in depth, in which Tor can be part. Tor is also better than nothing, which is a better de facto tool than plain text.

In modern society everything gathers metadata. The phone, the credit card, the mass transit system, cameras with face recognition, the ISP, all the routers between A and B, the devices people own, the platforms they socialize on. It's almost impossible to make a face to face meeting without allowing nation agencies to know about it. A leaker wanting to talk to a journalist without risking becoming a target might not be 100% protected by Tor, but then I don't know any single better method right now. Some combination of obfuscation, encryption, mixing, and plausible deniability seems to be the best bet.

>Some combination of obfuscation, encryption, mixing, and plausible deniability seems to be the best bet.

Go on.

I.e., talk in code, use a VPN, use shared communication streams like Tor, and make your behavior look legit and boring. Of course I am not speaking as a professional opsec specialist agent.

As far as you know.

Not making such claims is the only way to be taken seriously by the community it serves. Those using tor-browser know it's a best effort approach.

The same attitude should be expected from all InfoSec vendors. But it's easier to sell a product with claims it will protect you rather than saying the truth (that it's riddled with edge-cases like everything else).

Tor, unlike many of the VPN companies, thankfully lacks a marketing department trying to push it with incorrect claims about its alleged ability.

edit: if the threat model is to protect against corporate mass-surveillance ("the big guys"), then Tor is incredibly effective. They wouldn't go through the trouble to identify and blacklist exit nodes and present users with a captcha otherwise. (ofc assuming that it is used correctly: never log in, or if you must, only log in with sock-puppet identities etc).

>They wouldn't go through the trouble to identify and blacklist exit nodes and present users with a captcha otherwise.

Do you really think they care about that 1% (made up number) of Tor users using their service legitimately? Or do they just want to avoid being attacked or their service being abused?